UK Employer Rules · 2026
Can my employer share my personal data with others?
Legal basis
UK GDPR Articles 5 (principles), 6 (lawful basis), 9 (special category data including health); Data Protection Act 2018; ICO Employment Practices Code; ICO Guide to Employment Monitoring.
When they CAN do it
Your employer CAN share your data if: (1) you've given consent (must be specific, informed, freely given); (2) it's necessary to perform your contract (e.g., payroll provider, pension scheme); (3) legal obligation (HMRC, regulator, court order); (4) legitimate interest balanced against your privacy (e.g., sharing within group companies for HR); (5) it's anonymised so you can't be identified. Special category data (health, race, religion, sexual orientation, trade union) needs additional Article 9 justification.
When they CANNOT do it
Your employer CANNOT: share data outside the lawful basis; share special category data (health, disability, religion) without explicit consent or strong Article 9 ground; share with third parties for marketing without your consent; share data with overseas entities without UK GDPR transfer safeguards; share more data than necessary for the purpose; retain data longer than needed; ignore your rights to access, rectify, erase.
What you should do
1) Read your employer's Privacy Notice (legally required). It should specify what data is shared, with whom, why, and for how long it is retained.
2) File a DSAR if you suspect inappropriate sharing. It costs nothing and the employer must respond within one month.
3) For specific concerns (e.g., medical data shared with a line manager), ask in writing what the lawful basis is.
4) Withdraw consent for any consent-based processing.
5) Complain to the ICO (free) for breaches.
6) Bring a tribunal or county court claim for damages where the breach has caused you harm.
Worked example
Chris had a mental health absence. His line manager told colleagues 'Chris is on stress leave'. Chris hadn't disclosed this; only HR and Occupational Health knew. He filed a DSAR, which revealed that his manager had been told the diagnosis verbally with no record of consent. Chris complained to the ICO, and the employer received a formal action. He recovered £5,000 in tribunal damages for distress, and the manager was disciplined.
Red flags — when to escalate
🚨 Medical/absence reasons known by colleagues outside HR.
🚨 No Privacy Notice provided at induction.
🚨 Line managers asked for 'background' on staff with detailed personal info.
🚨 Data shared with third parties without notice.
🚨 Mass emails CC'ing personal addresses.
🚨 Photographs/videos used in marketing without consent.
Recruiter pro tip
Special category data (health, disability, ethnicity, religion, sexual orientation, trade union) has dramatically higher protection under UK GDPR Article 9. If your employer has shared any of this internally without explicit consent, that's a clear breach. The ICO route is free and powerful — they can issue formal actions, fines, and require remediation. For damages, the courts are increasingly willing to award £1,500-£10,000 for distress in clear breach cases.